
From the database I receive the following text:

<div onclick="alert('código inyectado');">Texto</div>

[img]http://www.hobbyconsolas.com/sites/hobbyconsolas.com/public/media/image/2015/07/503196-halo-5-guardians-nuevos-datos-campana-cooperativa.jpg[/img]

Y aquí una URL: [url]https://www.google.es/?gws_rd=ssl[/url]

Bueno pues vamos [b]a ver si esto funciona[/b] porque "todavía" no lo sé [i][u]bien[/u][/i]

This text is stored in a variable called $texto. Once htmlspecialchars() is applied to the variable, I run the following, which is where I'm finding the problem:

$texto = str_replace("&quot;","\"",$texto); // for quotes
$texto = str_replace("&lt;","<",$texto); // for <
$texto = str_replace("&gt;",">",$texto); // for >

But no modification is done. If I remove the & character it works. How can I fix this problem?

  • `htmlspecialcharacters()` isn't a native php function. Show us what you are really doing at that point. – mickmackusa Jul 09 '17 at 03:33
  • It sounds like you're double encoding, use `htmlspecialchars($texto, ENT_QUOTES, 'UTF-8', false);` See: http://php.net/manual/en/function.htmlspecialchars.php – Will B. Jul 09 '17 at 03:33
  • @fyrye worked!!! I have tried with some html special characters and seems to work fine with all of them. Answer the question above so that I can validate. Thanks! – Egoi Cantero Viqueira Jul 09 '17 at 08:50
  • @EgoiCanteroViqueira added answer as requested – Will B. Jul 10 '17 at 12:19

2 Answers


I'd say don't do that htmlspecialchars() call, and only call str_replace() once:

Code: (Demo)

$texto="&lt;div onclick=&quot;alert('código inyectado');&quot;&gt;Texto&lt;/div&gt;

[img]http://www.hobbyconsolas.com/sites/hobbyconsolas.com/public/media/image/2015/07/503196-halo-5-guardians-nuevos-datos-campana-cooperativa.jpg[/img]

Y aquí una URL: [url]https://www.google.es/?gws_rd=ssl[/url]

Bueno pues vamos [b]a ver si esto funciona[/b] porque &quot;todavía&quot; no lo sé [i][u]bien[/u][/i]";
//$texto=htmlspecialchars($texto);

$texto = str_replace(["&quot;","&lt;","&gt;"],['"','<','>'],$texto);

var_export($texto);

Output:

'<div onclick="alert(\'código inyectado\');">Texto</div>

[img]http://www.hobbyconsolas.com/sites/hobbyconsolas.com/public/media/image/2015/07/503196-halo-5-guardians-nuevos-datos-campana-cooperativa.jpg[/img]

Y aquí una URL: [url]https://www.google.es/?gws_rd=ssl[/url]

Bueno pues vamos [b]a ver si esto funciona[/b] porque "todavía" no lo sé [i][u]bien[/u][/i]'

fyrye's suggestion yields this -- if this is what you are shooting for:

'<div onclick="alert(&#039;código inyectado&#039;);">Texto</div>

[img]http://www.hobbyconsolas.com/sites/hobbyconsolas.com/public/media/image/2015/07/503196-halo-5-guardians-nuevos-datos-campana-cooperativa.jpg[/img]

Y aquí una URL: [url]https://www.google.es/?gws_rd=ssl[/url]

Bueno pues vamos [b]a ver si esto funciona[/b] porque "todavía" no lo sé [i][u]bien[/u][/i]'
mickmackusa

It sounds like you're double encoding. To avoid the double encoding you can use:

htmlspecialchars($texto, ENT_QUOTES, 'UTF-8', false);

See: http://php.net/manual/en/function.htmlspecialchars.php

Will B.
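The following is an added example, not code from the question or from either answer. It reproduces the problem both answers address (a second htmlspecialchars() pass turns "&lt;" into "&amp;lt;", so the question's str_replace() finds nothing), shows the double_encode=false fix from Will B.'s answer, and then shows why decoding the entities back to raw markup, as the question's str_replace() calls do, brings the stored onclick attribute back to life. The $stored string is a constructed stand-in for the database text in the question, and renderBbcode() is a hypothetical minimal renderer written for this example (it supports only [b], [i] and [u]).

```php
<?php
// Constructed sample: the question's text as it sits in the database, already
// entity-encoded once (what a single htmlspecialchars() pass produces).
$stored = '&lt;div onclick=&quot;alert(&#039;código inyectado&#039;);&quot;&gt;Texto&lt;/div&gt; '
        . 'porque &quot;todavía&quot; no lo sé [i][u]bien[/u][/i]';

// 1. Default behaviour (double_encode = true): every "&" is encoded, including the
//    "&" of entities that are already there, so "&lt;" becomes "&amp;lt;".
//    That is why str_replace("&lt;", "<", ...) never matches in the question.
$doubleEncoded = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

// 2. With the fourth parameter set to false, valid existing entities are left alone.
$onceEncoded = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false);

function countEntity(string $haystack, string $entity): int
{
    return substr_count($haystack, $entity);
}

echo "default:          ", countEntity($doubleEncoded, '&amp;lt;'), " x &amp;lt;\n"; // 2
echo "double_encode=0:  ", countEntity($onceEncoded, '&amp;lt;'), " x &amp;lt;\n";   // 0

// 3. Decoding the entities back to "<", ">" and quotes, as the question's
//    str_replace() calls do, reconstitutes the stored <div onclick="..."> verbatim.
//    Printed into an HTML page, that attribute is a live event handler.
$decoded = str_replace(['&quot;', '&lt;', '&gt;', '&#039;'], ['"', '<', '>', "'"], $onceEncoded);
$reintroducesHandler = (bool) preg_match('/<\w+[^>]*\son\w+\s*=/i', $decoded);
var_dump($reintroducesHandler); // bool(true)

// 4. Hypothetical minimal renderer: keep the text entity-encoded (one pass) and turn
//    only the BBCode markers you choose to support into fixed HTML. The stored
//    "<div onclick=...>" stays inert text because it is never decoded.
function renderBbcode(string $encodedText): string
{
    $rules = [
        '/\[b\](.*?)\[\/b\]/s' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s' => '<em>$1</em>',
        '/\[u\](.*?)\[\/u\]/s' => '<u>$1</u>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $encodedText);
}

$html = renderBbcode($onceEncoded);
echo $html, "\n";
// The only "<" characters in $html are the ones renderBbcode() itself emitted.
var_dump(strpos($html, '<div') === false); // bool(true)
```

The practical takeaway: encode once at output time (or store encoded and pass double_encode=false when re-encoding), and never turn "&lt;" back into "<" for user-supplied text. The [img] and [url] tags in the question need their own handling with the URL checked against an allow-list of schemes before it is placed in an href or src attribute, which is why the renderer above deliberately leaves them as plain text.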